
package org.owasp.webgoat.lessons.instructor.RoleBasedAccessControl;

import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
import org.owasp.webgoat.lessons.RoleBasedAccessControl.EditProfile;
import org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl;
import org.owasp.webgoat.session.Employee;
import org.owasp.webgoat.session.UnauthorizedException;
import org.owasp.webgoat.session.WebSession;


/**
 * Copyright (c) 2006 Free Software Foundation developed under the custody of the Open Web
 * Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is
 * published by OWASP under the GPL. You should read and accept the LICENSE before you use, modify
 * and/or redistribute this software.
 * 
 */

/*************************************************/
/*												 */
/* This file is not currently used in the course */
/*												 */
/*************************************************/

public class EditProfile_i extends EditProfile
{
	public EditProfile_i(GoatHillsFinancial lesson, String lessonName, String actionName)
	{
		super(lesson, lessonName, actionName);
	}

	public Employee getEmployeeProfile(WebSession s, int userId, int subjectUserId) throws UnauthorizedException
	{
		// Query the database to determine if this employee has access to this function
		// Query the database for the profile data of the given employee if "owned" by the given
		// user

		Employee profile = null;

		if (s.isAuthorizedInLesson(userId, RoleBasedAccessControl.EDITPROFILE_ACTION)) // FIX
		{
			// Query the database for the profile data of the given employee
			try
			{
				String query = "SELECT * FROM employee WHERE userid = ?";

				try
				{
					PreparedStatement answer_statement = WebSession.getConnection(s)
							.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
					answer_statement.setInt(1, subjectUserId);
					ResultSet answer_results = answer_statement.executeQuery();
					if (answer_results.next())
					{
						// Note: Do NOT get the password field.
						profile = new Employee(
							answer_results.getInt("userid"), 
							answer_results.getString("first_name"),
							answer_results.getString("last_name"), 
							answer_results.getString("ssn"), 
							answer_results.getString("title"), 
							answer_results.getString("phone"), 
							answer_results.getString("address1"), 
							answer_results.getString("address2"), 
							answer_results.getInt("manager"), 
							answer_results.getString("start_date"), 
							answer_results.getInt("salary"), 
							answer_results.getString("ccn"), 
							answer_results.getInt("ccn_limit"), 
							answer_results.getString("disciplined_date"),
							answer_results.getString("disciplined_notes"), 
							answer_results.getString("personal_description"));
						/*
						 * System.out.println("Retrieved employee from db: " +
						 * profile.getFirstName() + " " + profile.getLastName() + " (" +
						 * profile.getId() + ")");
						 */}
				} catch (SQLException sqle)
				{
					s.setMessage("Error getting employee profile");
					sqle.printStackTrace();
				}
			} catch (Exception e)
			{
				s.setMessage("Error getting employee profile");
				e.printStackTrace();
			}
		}
		else
		{
			throw new UnauthorizedException(); // FIX
		}

		return profile;
	}

}
